WordPress Plugin Vulnerabilities

Web Invoice <= 2.1.3 - Authenticated SQLi

Description

The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL Injection exploitable by high privilege users such as admin by default. However, depending on the plugin configuration, other users, such as subscriber could exploit this as well

Proof of Concept

When logged in with a user allowed to Manage invoice (default admin but can be changed via the plugin's settings), open the following URL

https://example.com/wp-admin/admin.php?page=new_web_invoice&invoice_id=31618572+AND+(SELECT+5926+FROM+(SELECT(SLEEP(5)))erUA)&web_invoice_action=clear_log

Affects Plugins

Plugin icon
web-invoice
No known fix

References

CVE
CVE-2022-4371
URL
https://bulletin.iese.de/post/web-invoice_2-1-3_1

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
7.7 (high)

Miscellaneous

Original Researcher
Daniel Krohmer, Kunal Sharma
Submitter
Daniel Krohmer
Submitter website
https://www.iese.fraunhofer.de/en.html
Verified
Yes
WPVDB ID
45f43359-98c2-4447-b51b-2d466bad8261

Timeline

Publicly Published
2022-12-12 (about 1 years ago)
Added
2022-12-12 (about 1 years ago)
Last Updated
2022-12-12 (about 1 years ago)

Other

Published
Title
Published
2023-04-17
Title
Video List Manager <= 1.7 - Admin+ SQL Injection
Published
2022-07-23
Title
Translatepress Multilinugal < 2.3.3 - Admin+ SQLi
Published
2023-01-23
Title
WP TripAdvisor Review Slider < 10.8 - Subscriber+ SQLi
Published
2022-10-24
Title
IP Blacklist Cloud Plugin <= 5.00 - Admin+ SQLi
Published
2024-04-03
Title
Rehub < 19.6.2 - Authenticated (Subscriber+) SQL Injection